ToddyCat installs Samurai and Ninja on Exchange

ToddyCat is a little-known cybercriminal group that has nonetheless been active since late 2020, when it hit several Asian companies by exploiting the ProxyLogon vulnerabilities in Microsoft Exchange Server. More recently, attacks have also been discovered in Europe and against desktop computers. Kaspersky researchers have identified two new malware families, called Samurai and Ninja.

Backdoors and Trojans for Servers and Desktops

The first wave of attacks was aimed at Microsoft Exchange servers using Samurai, a sophisticated backdoor that allows remote access over ports 80 and 443. The modular malware allows cybercriminals to control the target system and access The backdoor can also download the Ninja trojan, which allows remote management by multiple operators at the same time. Both malware families use various obfuscation techniques to leave no traces (files or processes) on the system and to avoid detection by security solutions.

The targets are mainly companies, but the researchers have also detected the presence of Ninja on desktop systems. The components of the trojan were distributed as zip archives sent via Telegram. As mentioned, the malware is difficult to detect because it abuses legitimate Windows processes and the same ports used by Microsoft Exchange. Advanced security solutions, such as Bitdefender GravityZone Business Security, are therefore needed. Obviously, all patches for the operating system and software must be installed.

This article contains affiliate links: purchases or orders placed through these links will allow our site to receive a commission.